Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora spyware, Nail.exe[RESOLVED]


  • This topic is locked This topic is locked

#16
hulk180

hulk180

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Nail seems to be gone. When windows boots up, a popup window says cannot find Nail.exe. However, everytime I load g2g page, I get a nuker.com popup. Is that from aurora?


Logfile of HijackThis v1.99.1
Scan saved at 4:00:17 PM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\spf\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
D:\security suite\ewidoctrl.exe
D:\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\jackie\iTunesHelper.exe
D:\jackie\AD-AWA~1\Ad-Watch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] D:\jackie\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "D:\jackie\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Tkwow7x0] C:\WINDOWS\difqqwj.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [othgtp] c:\windows\system32\krupvet.exe
O4 - HKCU\..\Run: [ATI Launchpad] "D:\ATI\main\launchpd.exe"
O4 - HKCU\..\Run: [MBotRhe4U] help81k.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ActiveGS.cab - http://www.virtualap...om/activegs.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtn_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.st.../soesysinfo.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\spf\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe





Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/16/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\MSCLOC~1.DLL
* UPX! C:\WINDOWS\System32\MSPLOC~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\ceres
  • 0

Advertisements


#17
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I think that nuker.com is related to spyware nuker - which is a program we don't recommend using. It's hijacking your computer as far as we know.

OK, do these now:

Download FixAgent http://www.greyknigh...py/FixAgent.zip and unzip it. Run FixAgent.exe. It should fix something. If nothing is fixed, skip to the next step for the HijackThis fixes. If something is found, also download home_missing_114 http://www.greyknigh...missing_114.zip and unzip it. Run the Home winkey missing batch file. Remember: ONLY run home_missing_114 if FixAgent found something.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

Restart and post a new HijackThis and FindIt's log.
  • 0

#18
hulk180

hulk180

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:24:06 AM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\spf\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
D:\security suite\ewidoctrl.exe
D:\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\program files\support.com\client\bin\tgcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\jackie\iTunesHelper.exe
D:\jackie\AD-AWA~1\Ad-Watch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] D:\jackie\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "D:\jackie\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Tkwow7x0] C:\WINDOWS\difqqwj.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
O4 - HKLM\..\Run: [othgtp] c:\windows\system32\krupvet.exe
O4 - HKCU\..\Run: [ATI Launchpad] "D:\ATI\main\launchpd.exe"
O4 - HKCU\..\Run: [MBotRhe4U] help81k.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ActiveGS.cab - http://www.virtualap...om/activegs.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtn_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.st.../soesysinfo.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\spf\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

Edited by hulk180, 17 May 2005 - 05:39 AM.

  • 0

#19
hulk180

hulk180

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 05/17/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\MSCLOC~1.DLL
* UPX! C:\WINDOWS\System32\MSPLOC~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\ceres
  • 0

#20
hulk180

hulk180

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
File c:\windows\system32\amzvpxgsby.exe tagged as "not-a-virus:AdWare.NaviPromo.c". Action Taken: No Action Taken.
Object "IBIS Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SideFind Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SideFind Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BetterInternet Adware" found in File System! Action Taken: No Action Taken.
Object "BetterInternet Adware" found in File System! Action Taken: No Action Taken.
Object "DealHelper Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BetterInternet Adware" found in File System! Action Taken: No Action Taken.
Object "HuntBar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "HuntBar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "IBIS Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ameopt Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Claria Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "farmmext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "farmmext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\cpbrkpie.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\aimsp32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\bitdefender.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ConnectorLauncher.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ConnectorLauncher.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\customerclient.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1015.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\Install.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\launcher.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaAccX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\msichat50.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\Playcom.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RealArcadeRdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ysbactivex.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\BSTIEPrintCtl1.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\OBXDocumentSelect.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\OBXKeywordPanel.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\khooker.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QTPlugin.OCX". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\Cpuinf32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\ipl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\ipla6.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iplm5.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iplm6.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iplp6.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iplpx.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iplw7.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\Msvcrt10.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\adobe\photoshop elements 2\Msvcrt10.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\TypeSpt\FntNames.db". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GB-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GB-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBK-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBK-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBpc-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBpc-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBT-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBT-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniGB-UCS2-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniGB-UCS2-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\B5pc-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\B5pc-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniCNS-UCS2-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniCNS-UCS2-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\ETen-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\ETen-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-CNS1-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-CNS1-2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-CNS1-3". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-GB1-3". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-GB1-4". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-Japan1-3". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-Japan1-4". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-Korea1-2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\ETHK-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\ETHK-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBKp-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBKp-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKdla-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKdla-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKdlb-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKdlb-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKgccs-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKgccs-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKm314-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKm314-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKm471-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKm471-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKscs-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\HKscs-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniJISPro-UCS2-HW-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniJISPro-UCS2-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\83pv-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\90ms-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\90ms-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\90msp-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\90msp-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\90pv-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Add-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Add-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Ext-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Ext-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniJIS-UCS2-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniJIS-UCS2-HW-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniJIS-UCS2-HW-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniJIS-UCS2-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniJISB-UCS2-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSC-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSC-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSCms-UHC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSCms-UHC-HW-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSCms-UHC-HW-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSCms-UHC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSCpc-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniKS-UCS2-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\UniKS-UCS2-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\78-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\78-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\78-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\78-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\78-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\78-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\78ms-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\78ms-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\90pv-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Add-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Add-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-CNS1-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-GB1-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-GB1-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-GB1-2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-Japan1-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-Japan1-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-Japan1-2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-Japan2-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-Korea1-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Adobe-Korea1-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\CNS2-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\CNS2-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Ext-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Ext-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GB-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GB-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBT-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBT-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBTpc-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\GBTpc-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Hankaku". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Hiragana". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Katakana". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSC-Johab-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSC-Johab-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\KSCpc-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\NWP-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\NWP-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\Roman". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\fonts\TempCMap\Reqrd\CMaps\WP-Symbol". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\78-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\78-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\78-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\78-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\78-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\78-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\78ms-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\78ms-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\83pv-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\90ms-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\90ms-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\90msp-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\90msp-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\90pv-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\90pv-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Add-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Add-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Add-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Add-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-CNS1-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-CNS1-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-CNS1-2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-CNS1-3". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-GB1-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-GB1-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-GB1-2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-GB1-3". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-GB1-4". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-Japan1-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-Japan1-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-Japan1-2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-Japan1-3". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-Japan1-4". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-Japan2-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-Korea1-0". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-Korea1-1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Adobe-Korea1-2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\B5pc-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\B5pc-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\CNS2-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\CNS2-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\ETen-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\ETen-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\ETHK-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\ETHK-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Ext-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Ext-RKSJ-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Ext-RKSJ-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Ext-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GB-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GB-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GB-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GB-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBK-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBK-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBKp-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBKp-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBpc-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBpc-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBT-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBT-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBT-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBT-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBTpc-EUC-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\GBTpc-EUC-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Hankaku". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\Hiragana". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKdla-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKdla-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKdlb-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKdlb-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKgccs-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKgccs-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKm314-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKm314-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKm471-B5-H". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\HKm471-B5-V". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C
  • 0

#21
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
They're back again...

Let's do this:

Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.atribune....ads/KillBox.exe
Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop.

Download the remv3.zip at http://forums.skads....hp?showtopic=80 (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip remv3.zip files into it.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Run CleanUp program now and logoff.

REBOOT TO SAFE MODE. These tools MUST be run in safe mode!
Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as it’s output file so make sure you save the entries from one tools log before running the other as it will overwrite the file if you don’t.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.
  • 0

#22
hulk180

hulk180

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
D:\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\msclock32.dll: UPX!
C:\WINDOWS\system32\msplock32.dll: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye




The batch is run from -- D:\remv3
  • 0

#23
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Make sure that Ad-watch is closed/disabled when doing this fix.

For the below fix, if you have those programs already, just run them according to what is said below.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Don't run it yet.

Once in Safe Mode, please double-click on nailfix.bat (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [Tkwow7x0] C:\WINDOWS\difqqwj.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
O4 - HKLM\..\Run: [othgtp] c:\windows\system32\krupvet.exe
O4 - HKCU\..\Run: [MBotRhe4U] help81k.exe
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - (no file)


Close all open windows except for HijackThis and click Fix Checked.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\Nail.exe
C:\WINDOWS\cfgmgr51.dll
C:\WINDOWS\difqqwj.exe
C:\WINDOWS\system32\psoft1.exe
c:\windows\system32\krupvet.exe
c:\windows\system32\help81k.exe
c:\windows\help81k.exe
C:\WINDOWS\system32\msclock32.dll
C:\WINDOWS\system32\msplock32.dll


Run CWShredder now.


Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.
  • 0

#24
hulk180

hulk180

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:38:19 PM, 5/18/2005
+ Report-Checksum: 1ED18DA0

+ Date of database: 5/18/2005
+ Version of scan engine: v3.0

+ Duration: 59 min
+ Scanned Files: 102943
+ Speed: 28.99 Files/Second
+ Infected files: 7
+ Removed files: 7
+ Files put in quarantine: 7
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\WINDOWS\mdmwleql.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\plxqxxgf.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\rhjdbvkh.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\system32\GSMedia3.exe -> Trojan.VB.ux -> Cleaned with backup
C:\WINDOWS\ubyloeiq.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\usygtevw.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\zjzcraix.exe -> Spyware.BookedSpace.e -> Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 5:49:51 PM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\spf\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
D:\security suite\ewidoctrl.exe
D:\security suite\ewidoguard.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\jackie\iTunesHelper.exe
D:\jackie\AD-AWA~1\Ad-Watch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] D:\jackie\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "D:\jackie\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Tkwow7x0] C:\WINDOWS\difqqwj.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [othgtp] c:\windows\system32\krupvet.exe
O4 - HKCU\..\Run: [ATI Launchpad] "D:\ATI\main\launchpd.exe"
O4 - HKCU\..\Run: [MBotRhe4U] help81k.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ActiveGS.cab - http://www.virtualap...om/activegs.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtn_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.st.../soesysinfo.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\spf\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
  • 0

#25
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
To disable Ad-Watch:

Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen you will see 2 options, "Active" and "Automatic".

Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.

Uncheck both options.

If that doesn't work, uninstall AdWatch.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Close out all open windows and disconnect the computer from any internet access.

1. SKIP

2. SKIP

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click *OK* Copy and paste the following locations into KillBox one at a time. Checkmark the box that says 'Delete on Reboot' and checkmark the box 'Unregister DLL' (If available) Click the red circle with the white X and it will ask you to confirm the file for deletion, say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

C:\Windows\Nail.exe
C:\WINDOWS\difqqwj.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\cfgmgr51.dll
c:\windows\system32\krupvet.exe
c:\windows\system32\help81k.exe


5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit


6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Tkwow7x0] C:\WINDOWS\difqqwj.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [othgtp] c:\windows\system32\krupvet.exe
O4 - HKCU\..\Run: [MBotRhe4U] help81k.exe


Run CWShredder.

7. Reboot the computer now. Reconnect your internet access and post a new HijackThis log.
  • 0

Advertisements


#26
hulk180

hulk180

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:32:55 AM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\spf\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
D:\security suite\ewidoctrl.exe
D:\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\jackie\iTunesHelper.exe
D:\jackie\AD-AWA~1\Ad-Watch.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] D:\jackie\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "D:\jackie\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKCU\..\Run: [ATI Launchpad] "D:\ATI\main\launchpd.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ActiveGS.cab - http://www.virtualap...om/activegs.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtn_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.st.../soesysinfo.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\spf\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
  • 0

#27
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I guess that did the job :tazz:

Check and fix these also:

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - (no file)


No need for a new log.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#28
hulk180

hulk180

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
The only popup I seem to be getting is a nuker popup whenever I load G2G page. Everything else seems to be working fine. However, after I ran cleanup the last time you told me to, my c drive disk space keeps going from about 1 gig to 40KB in a few minutes. I ran spybot, adaware, and MS antispyware and they found a few general things but my c drive space is still extremely low Any ideas what could be going on?
  • 0

#29
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Let's see what else could be wrong.

OK do the following:

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

Also give me a new HijackThis log.
  • 0

#30
hulk180

hulk180

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Every time I DL it and try to run it it says either files are corrupted or not a valid win32 app. I tried getting it from different links, but none seem to work.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP